Joint blind key escrow

ABSTRACT

A computer-implemented method for escrowing secret data in a server of a client-server network, the client-server network comprising: a first client having at least one public and private client key pairs, at least one trusted client having at least one public and private trusted client key pairs, a server having a public and private server key pairs, a blockchain system comprising a plurality of nodes which are configured to store the public keys of the elements of the client-server network. It is also described a computer-implemented method for obtaining secret data of a server wherein the secret data is escrowed with the above computer-implemented method for escrowing secret data in a server. System, computer-readable mediums and computer programs, which are configured to implement or perform said computer-implemented methods, are also described.

RELATED APPLICATIONS

The present application is a continuation application of U.S. patentapplication Ser. No. 16/650,301, filed Mar. 24, 2020, which is a U.S.National Stage Application under 35 U.S.C. § 371 of InternationalApplication No. PCT/EP2018/076227, filed on Sep. 27, 2018, which claimspriority to EP Patent Application No. EP17382642. 1, filed Sep. 27,2017, the contents of which are hereby incorporated by reference intheir entirety.

TECHNICAL FIELD OF THE INVENTION

The invention is related to the field of cryptography. Particularly, itrelates to the field of key escrowing or private data escrowing. Moreparticularly, it relates to a method for escrowing private keys,secrets, passwords or other similar private data by a user.

BACKGROUND INFORMATION

Nowadays due to the characteristics of the digital world, i.e., internetand the forthcoming internet of the things, IoT, secure credentialsmanagement is a delicate task. As secure credentials it should beunderstood any secret data which any user wants to remain in secret inorder to avoid any impersonation, or any unauthorized access to any ofhis personal data, such as a password or a cryptographic key.

Normally, the solution to this problem is boiled down to eitherrequiring the user to store or memorize the secret data, or relying on athird party to do it on behalf of the user.

In the first case, no trust on third parties is needed, but the systemhas many vulnerabilities. If the user memorizes the secret data and saiduser loses or forgets the secret value, there is no way to recover it.This also occurs in the case of the user stores the secret data in amemory, such as a memory stick.

In the second case, the third party may be a malicious party or it maybe hacked. In both situations, the third party could impersonate theuser and access to any secret data of the user such as email account orbank account.

WO 99/04530 describes a system that allows storing encrypted data, withan authority that escrows the keys used to encrypt this data (the KeyRecovery Agent). The keys used to encrypt the data are in turn encryptedwith a key under the control of the Key Recovery Agent. However, the KeyRecovery Agent can unilaterally recover the encrypted data and, e.g.,impersonate the owner of the encrypted data if this data consists ofauthenticating information.

Invisible Ink: Blockchain for Data Privacy discloses a platform thatsecurely distributes encrypted user-sensitive data. International patentapplication WO/2015/135063A1 discloses a system and method for securedeposit and recovery of secret data. Decentralizing Privacy: UsingBlockchain to Protect Persona Data discloses a decentralized personaldata management system that ensures users own and control their data.

Therefore, there is a need that the users can securely escrow privatekeys, passwords or other similar private/secret data and securelyretrieve the escrowed secret data, avoiding any impersonation for anymalicious third party.

SUMMARY

The present invention provides an alternative solution for theaforementioned problems, by a computer-implemented method for escrowingsecret data in a server of a client-server network according to claim 1,a computer-implemented method for obtaining secret data in a server of aclient-server network according to claim 8, a system according to claim13, computer-readable medium according to claims 14 and 15 and computerprograms according to claims 16 and 17. In dependent claims, preferredembodiments of the invention are defined.

In a first inventive aspect, the invention provides acomputer-implemented method for escrowing data in a server of aclient-server network, the client-server network comprising:

-   -   a first client having at least one public and private client key        pairs, at least one trusted client having at least one public        and private trusted client key pairs, wherein the public and        private trusted client key pairs are a public key and    -   a private key related to each trusted client,    -   a server having a public and private server key pairs,    -   a blockchain system comprising a plurality of nodes which are        configured to store the public keys of the elements of the        client-server network, the blockchain system being configured to        ensure the correctness and uniqueness of the public keys stored        in the plurality of nodes,

wherein the method comprises the following steps:

-   -   a) fetching by the first client from the blockchain system the        public key of a trusted client,    -   b) cryptographically blinding by the first client, a secret data        with a random value obtaining a first blinded secret,    -   c) signing by the first client, the first blinded secret,        obtaining a digital signature of the first blinded secret,    -   d) encrypting by the first client, the first blinded secret and        the digital signature of the first blinded secret using the        public key of the trusted client obtaining a first public        encrypted secret,    -   e) sending by the first client to the server, the first public        encrypted secret,    -   f) forwarding by the server to the trusted client, the first        public encrypted secret,    -   g) when the trusted client receives the first public encrypted        secret from the server, fetching by the trusted client from the        blockchain system the public key of the first client and        decrypting by the trusted client the first public encrypted        secret using its private key obtaining the first blinded secret,    -   h) verifying by the trusted client the digital signature of the        first blinded secret using the public key of the first client,        if the digital signature is valid the method continues in step        i),    -   i) blindly encrypting by the trusted client, the first blinded        secret with a random secret key obtaining a second blinded        secret,    -   j) signing by the trusted client, the second blinded secret,        obtaining a digital signature of the second blinded secret,    -   k) encrypting by the trusted client, the second blinded secret        and the digital signature of the second blinded secret using the        public key of the first client obtaining a second public        encrypted secret,    -   l) sending by the trusted client to the server, the second        public encrypted secret,    -   m) forwarding by the server to the first client, the second        public encrypted secret,    -   n) when the first client receives the second public encrypted        secret from the server, decrypting by the first client the        second public encrypted secret using its private key obtaining        the second public encrypted secret,    -   o) verifying by the first client the digital signature of the        second blinded secret using the public key of the trusted        client, if the digital signature is valid the method continues        in step p),    -   p) cryptographically unblinding by the first client second        blinded secret with the random value, obtaining an encrypted        secret,    -   q) signing by the first client, the encrypted secret using the        private key of the first client obtaining a digital signature of        the encrypted secret,    -   r) sending by the first client to the server, the encrypted        secret and the digital signature of the encrypted secret,    -   s) when the server receives the encrypted secret and the digital        signature of the encrypted secret, verifying the digital        signature of the encrypted secret using the public key of the        first client, and if the digital signature of the encrypted        secret is valid, encrypting by the server, the encrypted secret        with the public key of the server obtaining a double-encrypted        secret and storing the double-encrypted secret in the server.

Throughout this entire document, secret data will be understood as anydata which is only known by the first client, for example, a password ora cryptographic key. The secret data is additionally a digital file.

The client-server network interconnects clients through servers and italso comprises a blockchain system. In this invention, the blockchain isa distributed database wherein the nodes store the public keys ofclients of the entire client-server network, and the clients and theserver of the client-server network are configured to access to the datastored in the blockchain system. In one embodiment, the public key isassociated with a name o ID, for example, the public key of the firstclient is associated with the name “User1” and the public key of onetrusted client is associated with the name “User2”.

The blockchain system stores which user has registered the public keys.Advantageously, it specifically ensures that client public keys are notmodified surreptitiously or recently modified during the performance ofthe method. Additionally, it also ensures the correctness and uniquenessof said public key.

In the context of the invention the public keys of each client belong toan asymmetric cryptosystem. As an asymmetric cryptosystem, it should beunderstood a cryptosystem where the private key is kept private orsecret by the computer and the public key is public to any third party.Therefore, any data encrypted with the public key can be only decryptedusing its correspondence private key.

As a digital signature it should be understood as mathematical schemefor demonstrating the authenticity of digital messages or documents. Avalid digital signature gives a recipient reason to believe that themessage was created by a known sender, that the sender cannot denyhaving sent the message, and that the message was not altered intransit. In this case, a private key is used to generate the digitalsignature, while its corresponding public key is used to verify saidsignature.

Additionally, singing any data and verifying the digital signature ofsaid data it should be understood as applying any of the protocols inpublic cryptosystems. In one embodiment, the public cryptosystems forsign and verify in steps c), h), j), o), q) and s) may be RSA, ElGamalor DSA. In one embodiment, the server comprises all the public keys ofthe clients registered in the blockchain system. As the digitalsignature of the encrypted secret is signed with the private key of thefirst user, the server can verify if said digital signature is signed bythe first user using the public key of the first user. In otherembodiment, the server can fetch the public key of the first client uponreceiving the first public encrypted secret of said first client. Inother embodiment, there is a previous step from step a) where the serverfetches the public keys of the clients registered in the blockchainsystem. Advantageously, no other client can impersonate to store secretsin server as the first client.

It should be understood in the context of the invention that a client isan electronic device such as a computer, a smartphone or tablet where atleast one process can be executed by the electronic device. In otherembodiment, a client may be a process running inside said electronicdevice, and therefore, the electronic device may comprise two clients.Additionally, a trusted client is a client of the client-server networkwherein a different client chooses it in order to escrow the data.

As cryptographically blinding it should be understood as a process whichencodes determined data using an algorithm, such that other parties canstill processing with the encoded data, without knowing its meaning ofsaid encoded data. As a consequence, cryptographically unblinding is thereverse process of cryptographically blinding which is configured toobtain the data from the encoded data. In one embodiment,cryptographically blinding and cryptographically unblinding compriseapplying the same mathematical operator.

As blindly encrypting it should be understood as a process of encryptingdata that has been cryptographically blinded in advance. Thus, theentity encrypting the blinded data does not gain any knowledge of thedata that is being encrypted.

Advantageously, the computer-implemented method for escrowing dataavoids the impersonation of any third party, either the trusted clientor the server. As a security layer is always applied to the secret databefore leaving the first client, the resistance against theimpersonation is increased. Security layer should be understood as anyencryption or blinding process or digital signatures performed or sentin the secret data. In particular, the following security layers areincluded when the secret leaves any of the client users:

-   -   in step e) when first public encrypted secret is sent, it        comprises a double security layer added in steps b) and d) of        the method. This number of security layers is also maintained in        step f).    -   in step l) when second public encrypted secret is sent, it        comprises a triple security layer added in steps b), i) and k)        of the method.    -   in step r) when private encrypted secret is sent, it comprises a        security layer added in step i) of the method. Additionally,        this security layer is stronger against any attack because        breaking it will require collusion between the server and the        trusted client.

Finally, when the secret data is escrowed in the server, i.e., thedouble-encrypted secret, it has a double security layer added in stepsi) and s) of the present invention. Due to the number of security layersand its components, any malicious third party which wants to tamper orimpersonate the information is not able to access to the secret databecause said third party would need the information used in the processperformed in steps b), c), d), i), j), k), p), q) and/or s) of themethod.

As it can be clearly appreciated, the first inventive aspect does notuse any password, i.e. is passwordless. Thus for clarification, thefirst inventive aspect can be also defined as a computer-implementedmethod for passwordless escrowing secret data.

It should be understood that a password and a random value are differentconcepts and features. A password is an element that must be stored in along period of time, such as months or years, and it cannot be deletedor missed. On the other hand, the random value is an element that maynot be maintained in a long period of time and it may be deleted. Forexample, it can be appreciated that the first client may delete the usedrandom value after step p), and the first client may continue normallyescrowing the secret using the method of the invention.

In a particular embodiment, any sending in the client-server networkbetween the first client, the trusted client and the server is ciphered,preferably using transport layer security, TLS.

In a particular embodiment, cryptographically blinding in step b)comprises,

-   -   calculating by the first client the random value,    -   computing by the first client a bitwise XOR of the random value        and the secret data obtaining the first blinded secret.

In a particular embodiment, cryptographically unblinding in step p)comprises computing by the first client a bitwise XOR of the randomvalue and the second blinded secret obtaining the encrypted secret.

In a particular embodiment, blindly encrypting in step i) comprises:

-   -   calculating by the trusted client the random secret key,    -   computing by trusted client a bitwise XOR of the random secret        key and the first blinded secret obtaining the second blinded        secret.

The above embodiments use one or more random values in order to add asecurity layer to the process of escrowing the secret data, whichadvantageously avoids that the trusted client can access to the secretdata.

In a particular embodiment, encrypting in step d) further comprisesencrypting by the first client, the first blinded secret and a biometricauthenticating data of the first client using the public key of thetrusted client obtaining the first public encrypted secret.

In a particular embodiment, the step i) further comprises storing by thetrusted client, the biometric authenticating data of the first client.

The biometric authenticating data are data related with a measurement ofa human characteristic such as the finger print, iris and/or retina.

In a particular embodiment, step a) further comprises checking by thefirst client in the blockchain system, the identity of the at least onetrusted client which stored the public key of the trusted client.

In a particular embodiment, step g) further comprises checking by thetrusted client in the blockchain system, the identity of the firstclient which stored the public key of the first client.

As identity should be understood the parameter which identifies aclient. Due to the features of the blockchain system, any client of theclient-server network which performs any registration in said system isregistered on the blockchain system, where registration on theblockchain system means writing its public key in said blockchainsystem. Thus, if the first client registers its public key, it isregistered the public key, the client to which belongs said key and theclient which has performed the registration in the blockchain system.Thus, in the above embodiments, the first client and the trusted clientmay use the blockchain system to check any modifications on the publickey for authentication in the above mentioned embodiments.Advantageously, these embodiments ensure that client public keys are notmodified surreptitiously.

In a second inventive aspect, the invention provides acomputer-implemented method for obtaining secret data of a server of aclient-server network, wherein said secret data is escrowed with acomputer-implemented method according to any of the embodiments of thefirst inventive aspect,

wherein the client-server network comprising:

-   -   a first client having at least one public and private client key        pairs,    -   at least one trusted client having at least one public and        private trusted client key pairs, wherein the public and private        trusted client key pairs are a public key and a private key        related to each trusted client,    -   a server having a public and private server key pairs,    -   a blockchain system comprising a plurality of nodes which are        configured to store the public keys of the elements of the        client-server network, the blockchain system being configured to        ensure the correctness and uniqueness of the public keys stored        in the plurality of nodes,

wherein the method comprises the following steps:

-   -   1) requesting by the first client to the server, the        double-encrypted secret of the first client,    -   2) when the server receives the request, decrypting by the        server the double-encrypted secret using its private key        obtaining the encrypted secret,    -   3) sending by the server to the first client, the encrypted        secret,    -   4) when the first client receives the encrypted secret from the        server, generating by the first client a second public and        private client key pairs,    -   5) fetching by the first client from the blockchain system the        public key of a trusted client and encrypting by the first        client, the second public client key with the public key of the        trusted client obtaining an encrypted second public client key,    -   6) sending by the first client to the server, the encrypted        second public client key,    -   7) forwarding by the server to the trusted client, the encrypted        second public client key,    -   8) when the trusted client receives the encrypted second public        client key from the server, decrypting by the trusted client the        encrypted second public client key using its private key        obtaining the second public client key and encrypting the random        secret key with the second public client key obtaining an        encrypted random secret key,    -   9) sending by the trusted client to the server, the encrypted        random secret key,    -   10) forwarding by the server to the first client, the encrypted        random secret key,    -   11) when the first client receives the encrypted random secret        key, decrypting by the first client the encrypted random secret        key using its second private key obtaining the random secret        key,    -   12) decrypting by the first client the encrypted secret using        the random secret key obtaining the secret.

As it can be clearly appreciated, the second inventive aspect does notuse any password, i.e. is passwordless. Thus for clarification and asthe first inventive aspect, the second inventive aspect can be alsodefined as a computer-implemented passwordless method for obtainingsecret data of a server of a client-server network.

As it has been commented in the second inventive aspect, the firstclient does not require the random value to obtain the escrowed secret.Thus in view of the definition of password, as the method disclosed inthe first and second inventive aspects do not require to store anyfurther numbers or text during a long period of time, i.e., they do notuse any passwords, said methods are passwordless.

It should be understood that “said escrowed secret data is escrowed witha computer-implemented method according to any of the embodiments of thefirst inventive aspect”, is similar to that the method comprises aprevious step of escrowing a secret data according to any of theembodiments of the computer-implemented method of the first inventiveaspect.

Advantageously, the random secret key is encrypted with a second publickey which only is known by the first client and the trusted client.Additionally, the computer-implemented method for obtaining escroweddata avoids the impersonation of any third part including the trustedclient and server, because of the introduced cryptographic mechanisms.

In one embodiment, wherein the secret data is escrowed with thecomputer-implemented method according to the embodiment, wherein thestep i) of blinding encrypting of the first inventive aspect comprisescalculating by the trusted client a random secret key, and computing bytrusted client a bitwise XOR of the random secret key and the firstblinded secret obtaining the second blinded secret. In this embodiment,decrypting in step 12) comprises computing by the first client a bitwiseXOR of the random secret key and the encrypted secret obtaining thesecret data.

As it is above indicated, it should be understood that, “wherein thesecret data is escrowed with the computer-implemented method accordingto the embodiment of the first inventive aspect, wherein the step i) ofblinding encrypting of the first inventive aspect further comprisescalculating by the trusted client a random secret key and computing bytrusted client a bitwise XOR of the random secret key and the firstblinded secret obtaining the second blinded secret”, is similar to themethod comprises a previous step of escrowing a secret data according tothe embodiment of the computer-implemented method of the first inventiveaspect, wherein the step i) of the first inventive aspect furthercomprises calculating by the trusted client a random secret key andcomputing by trusted client a bitwise XOR of the random secret key andthe first blinded secret obtaining the second blinded secret.

Advantageously, this embodiment allows obtaining an escrowed secret datafrom XOR-based blind encryption.

In one embodiment, wherein the secret data is escrowed with thecomputer-implemented method according to the embodiment of the firstinventive aspect, wherein the step d) of encrypting further comprisesencrypting by the first client, the first blinded secret, the digitalsignature of the first blinded secret and a biometric authenticatingdata of the first client using the public key of the trusted clientobtaining a first public encrypted secret, and wherein the step i)further comprises storing by the trusted client, the biometricauthenticating data of the first client, encrypting in step 5) furthercomprises encrypting the second public client key and a biometricauthenticating data of the first client with the public key of thetrusted client obtaining the encrypted second public client key.

In one embodiment, the step 8) further comprises verifying the biometricauthenticating data of the first client, and if the biometricauthenticating data of the first client is valid continue with step 9)and if the biometric authenticating data of the first client is invaliddeleting the second public client key.

In the above embodiments, the biometric authenticating data of the firstclient has been firstly stored in step i) of the method of the firstinventive aspect. Now, the trusted client only has to check if thebiometric authenticating data received in step 8) is similar that thebiometric authenticating data of the first client has been firstlystored in step i) of the method of the first inventive aspect. As thebiometric authenticating data is exclusively related to one user of thefirst client, any man-in the middle attack is advantageously avoided.Advantageously, the above embodiments also increase the security of thetransmissions between the first user and the trusted client and enhancethe integrity of the data because avoid that none non-legitimate clientobtains the random secret key.

In a particular embodiment, step 5) further comprises checking by thefirst client in the blockchain system, the identity of the trustedclient which stored the public key of the trusted client.

As it has been commented in the first inventive aspect, the first clientchecks on the blockchain system if the public key from the trustedclient has been subjected to any suspicious modification. In that case,the first client advantageously detects that said key has been modifiedsurreptitiously and stops.

All the embodiments of the computer-implemented methods of the first andsecond inventive aspects may be coordinated by the first client. Withrespect to the computer-implemented method of the first inventiveaspect, in the step e) the first client additionally orders that thecontent received by the server must be forward to the trusted client.Additionally, the message comprises instructions for the trusted client:the trusted client must sent back a blindly encrypted version of thecontent of the message, the first public encrypted secret, encryptedwith the public key of the first client. In step r) the first clientadditionally orders to secure store content received by the server.

With respect to the computer-implemented method of the second inventiveaspect, in the step 6) the first client additionally orders that thecontent received by the server must be forward to the trusted client.Additionally, the message comprises instructions to the trusted client:the trusted client must sent back the random secret key encrypted withthe second public client key.

In other embodiments of the computer-implemented methods of the firstand second inventive aspects, other types of blind encryption or blinddecryption may be applicable, for example, the blind decryption schemedescribed in the document of Matthew Green: Secure Blind Decryption.IACR Cryptology ePrint Archive 2011: 109 (2011). The only requirement isthat the secret data that is encrypted in the method of the firstinventive concept can be decrypted using the method of the secondinventive concept, without the trusted party having access to the secretdata in the clear at any moment. Similar requirement is needed to theprocesses of cryptographically blinding and the cryptographicallyunblinding.

In a third inventive aspect, the invention provides a system comprising

-   -   a server configured to perform the method steps of the method        according to any of the previous embodiments when they are        referred to the server,    -   a first electronic device in communication to the server through        a telecommunications network configured to perform any of the        method steps according to any of the previous embodiments when        they are referred to the first client,    -   a second electronic device in communication to the server        through a telecommunications network configured to perform any        of the method steps according to any of the previous embodiments        when they are referred to the trusted client.

The system of the third inventive aspect is configured to escrow secretdata in a server when the server, the first electronic device and thesecond electronic device perform any of the computer-implemented methodsteps of any of embodiments of the first inventive aspect. Additionally,the system of the third inventive aspect is also configured to obtainingescrowed secret data when the server, the first electronic device andthe second electronic device perform any of the computer-implementedmethod steps of any of embodiments of the second inventive aspect.

In a fourth inventive aspect, the invention provides a computer-readablemedium comprising instructions which, when executed by a computer,causes the computer to carry out the steps of the method of any of theembodiments of the first inventive aspect.

In a fifth inventive aspect, the invention provides a computer-readablemedium comprising instructions which, when executed by a computer,causes the computer to carry out the steps of the method of any of theembodiments of the second inventive aspect.

In a sixth inventive aspect, the invention provides a computer programcomprising computer program code which, when executed by a computer,causes the computer to carry out the steps of the method of any of theembodiments of the first inventive aspect.

In a seventh inventive aspect, the invention provides a computer programcomprising computer program code which, when executed by a computer,causes the computer to carry out the steps of the method of any of theembodiments of the second inventive aspect.

All the features described in this specification (including the claims,description and drawings) and/or all the steps of the described methodcan be combined in any combination, with the exception of combinationsof such mutually exclusive features and/or steps.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other characteristics and advantages of the invention willbecome clearly understood in view of the detailed description of theinvention which becomes apparent from a preferred embodiment of theinvention, given just as an example and not being limited thereto, withreference to the drawings.

FIG. 1 This figure shows an embodiment according to the invention of acomputer-implemented method for escrowing data in a server.

FIG. 2 This figure shows an embodiment of the updating process of thepublic key of a client a blockchain system.

FIG. 3 This figure shows an embodiment according to the invention of acomputer-implemented method for obtaining escrowed data of a server.

DETAILED DESCRIPTION

FIGS. 1 to 3 show embodiments of the present invention. In particular,in said figures it is also represented a system configured to implementthe computer-implemented method for escrowing secret data in a server ofthe present invention, and the computer-implemented method for obtainingthe escrowed secret data of a server of the present invention.

In FIGS. 1 and 3, it can be appreciated a schematic representation ofthe system. In particular, the client-server network comprises a firstclient (101), a server (102) and a trusted client (103). The elements ofthe client server-network may be connected via Ethernet cable orwireless. Also the elements may be located in different local networksor in the same network. Additionally, FIG. 2 describes the connectionbetween the blockchain system and the clients of the client-servernetwork.

FIG. 1: Escrowing Secret Data (1)

FIG. 1 shows an example of the implementation by the first client (101)of the computer-implemented method for escrowing data in a server (102)of the invention. In this embodiment, the server (102) comprises all thepublic keys of the clients registered in the blockchain system. In otherembodiment, the server may fetch the public key of the first client uponreceives the first public encrypted secret of said first client. Inother embodiment, there is a previous step from step a) where the serverfetches the public keys of the clients registered in the blockchainsystem.

Firstly, the first client (101) fetches (104) the public key of thetrusted client (103) from the blockchain system. As the first client isregistered in the blockchain system, the first client can fetch to anyof the data stored in said blockchain system, in this case, the publickey of the trusted client (103). Thus, in this embodiment the blockchainsystem is a private blockchain, for example, a private HyperledgerFabric blockchain or a private Ethereum blockchain, because only theclients or server registered can fetch the information of the blockchainsystem.

In other embodiments, the blockchain system is a public blockchain whereany entity may access to the data stored on the blockchain system. Inthese embodiments, blockchain system may be Namecoin, Certcoin orBlockstack systems.

Then, the first client cryptographically blinds (105) a secret data (1).In this embodiment the secret data (1) is a password of the first client(101), “0x5678”. Further, the blinding process (105) is performed byfirstly calculating a random value, “0x1234”, and applying a bitwise XORobtaining a first blinded secret. In particular, the random value is“0x1234” and the first blinded secret is obtained as follows:

first blinded secret=XOR(secret data,randomvalue)=XOR(0x5678,0x1234)=0x444C

In this embodiment in order to enhance the security of the method, thefirst client (101) uses its biometric authenticating data from hisfinger print. In other embodiments, the source of biometric data may bedifferent, for example, biometric data based on retina or iris.

Then, the first client (101) signs (106) the first blinded secret,obtaining a digital signature of the first blinded secret, and encrypts(106) the first blinded secret, “0x444C”, the biometric authenticatingdata and the digital signature of the first blinded secret using thepublic key of the trusted client (103) obtaining a first publicencrypted secret.

The first user (101) sends (107) the first public encrypted secret tothe server (102), and the server (102) forwards (108) it to the trustedclient (103, 303).

When the trusted client (103) receives the first public encrypted secretfrom the server (102), the trusted client (103) fetches (109) from theblockchain system the public key of the first client (101). Then, thetrusted client (103) decrypts (110) the first public encrypted secretusing its private key obtaining the first blinded secret, “0x444C”. Inthis stage, it can be appreciated that the trusted client (103) does nothave access to the secret data (1) avoiding any possibility ofimpersonation. Additionally, the trusted client (103) verifies (111) thedigital signature of the first blinded secret using the public key ofthe first client (101) and stores the biometric authenticating data. Ifthe verifying is failed, the trusted client (103) deletes the firstblinded secret, “0x444C” and the method stops.

If the verifying is valid, the trusted client (103) further blindlyencrypts (112) the blinded secret with a random secret key obtaining asecond blinded secret as follows:

-   -   calculating the random secret key, “0x90AB”, and    -   computing a bitwise XOR of the first blinded secret 0x444C,        random secret key 0x90AB, i.e:

second blinded secret=XOR(first blinded secret,random secretkey)=XOR(0x444C,0x90AB)=0xD4E7

being the second blinded secret 0xD4E7. Then, the trusted client (103)signs (113) the second blinded secret, obtaining a digital signature ofthe second blinded secret and encrypts (113) the second blinded secret“0xD4E7” and the digital signature of the second blinded secret usingthe public key of the first client (101) obtaining a second publicencrypted secret, and sends (114) the second public encrypted by thetrusted client (103, 303) to the server (102, 302) which in turnforwards (115) it to the first client (101).

When the first client (101) receives the second public encrypted secretfrom the server (102), the first client (101) decrypts (116) the secondpublic encrypted secret using its private key obtaining the secondblinded secret, “0xD4E7”. Then, the first client (101) verifies (117)the digital signature of the second blinded secret using the public keyof the trusted client (103, 303), and if the digital signature is valid,it further cryptographically unblinds (118) the second blinded secretwith the random value obtaining an encrypted secret as follows:

-   -   computing a bitwise XOR of the first blinded secret 0x444C,        random value 0x1234, i.e:

encrypted secret=XOR(second blinded secret,randomvalue)=XOR(0xD4E7,0x1234)=0xC6D3

being the encrypted secret 0xC6D3. At this point, 0xC6D3 is anencryption of the secret data (1) of the first user, “0x5678” with therandom secret key of the trusted client “0x90AB”.

Then, the first client (101) signs (119) the encrypted secret using theprivate key of the first client (101) obtaining a digital signature ofthe encrypted secret and sends (120) by the first client (101, 301) tothe server (102, 302), the encrypted secret and the digital signature ofthe encrypted secret.

Finally, when the server (102) receives the private encrypted secret andthe digital signature of the encrypted secret, it verifies (121) thedigital signature of the encrypted secret and if the digital signatureof the encrypted secret is valid, the server encrypts (122) theencrypted secret with the public key of the server (102) obtaining adouble-encrypted secret and stores (123) the double-encrypted secret inthe server (102).

FIG. 2: Public Key Register Blockchain System (202)

FIG. 2 disclosed an embodiment of the computer-implemented method forescrowing data in a server (102) of the present invention. Inparticular, FIG. 2 represents a previous step of step a), where thefirst client (201) registers its public key in the blockchain system(202). Firstly, the first client (201) creates (203) a messagecomprising the public key of the first client (201) and itsidentification “User1”. Secondly, the first client (201) signs (204) themessage with his private key and sends (205) the signed message to theblockchain system (202).

Then, the signed message is verified (206) by the nodes of theblockchain system (202), which check the validity of the digitalsignature and that no client with name User1 already exists. If the namewas not registered previously, the global state of the blockchain isupdated to include this relationship. The result accept, if thesignature is valid, or reject, if the signature is invalid, of thisdecentralized write operation is eventually returned (207) to the firstclient (201) via a message from the blockchain system (202).

Modifications to the established association between user name and keymay be performed, for example, to update an old key. In this case, therequest is signed by the previously associated key. Further, this caseshould be considered an additional embodiment of thecomputer-implemented method for escrowing data in a server (102) of thepresent invention. In particular, there is a previous step from step a)of updating the public key of the first client (202) in the blockchainsystem (202) which comprises sending a message comprising the new publickey of the first client (201) and its identification “User1” wherein themessage is signed with the old public key. Then, the signed message isverified (206) by the nodes of the blockchain system (202), which checkthe validity of the digital signature and that no client with name User1already exists. As the name was registered previously, the global stateof the blockchain is updated to include the new public key associated tothis name. The result accept, if the signature is valid, or reject, ifthe signature is invalid, of this decentralized write operation iseventually returned (207) to the first client (201) via a message fromthe blockchain system (202).

Therefore, any interested client or server registered in the blockchainsystem (202), is thus able to access the blockchain system and searchfor needed keys associated to specific user names, for example, as isrequired in steps 104 and 109 of FIG. 1 or in the step of verifying thedigital signature of the encrypted secret.

The above example, also applies to any of the elements of the system inorder to registers its public key in the blockchain system (202).

FIG. 3: Obtaining Secret Data (1)

FIG. 3 shows an example of the implementation by the first client (301)of the computer-implemented method for obtaining escrowed data of aserver (302) of the invention. Normally, this situation occurs when thefirst client (101, 301) losses all his data. Firstly, the first client(301) requests (304) to the server (302), the double-encrypted secret ofthe first client (301). The secret of the first client (301) has beenescrowed as in illustrated in FIG. 1, thus the double-encrypted secretis stored in the server (102, 302). This is similar to perform aprevious step of escrowing a secret data according to the embodimentdisclosed in FIG. 1.

When the server (302) receives the request, it decrypts (305) thedouble-encrypted secret using its private key obtaining the encryptedsecret, 0xC6D3, and sends (306) the encrypted secret to the first client(301).

When the first client (301) receives the encrypted secret from theserver (302), it generates (307) a second public and private client keypairs. Then, the first client fetchs (308) from the blockchain system(202) the public key of the trusted client (303) and encrypts (308) thesecond public client key and the biometric authenticating data from hisfinger print with the public key of the trusted client (303) obtainingan encrypted second public client key and sends (309) it to the server(302). Then, the server (302) forwards (310) the encrypted second publicclient key to the trusted client (303).

When the trusted client (303) receives the encrypted second publicclient key, it decrypts (311) the encrypted second public client keyusing its private key obtaining the second public client key and thebiometric authenticating data. Additionally, the trusted client (303)verifies the biometric authenticating data comparing if the biometricauthenticating data is equal to the biometric authenticating data storedin step i) in the trusted client (303). If the biometric authenticatingdata are different the trusted client (303) deletes second public clientkey.

If the biometric authenticating data are similar, the first client (301)encrypts (312) the random secret key “0x90AB” with the second publicclient key obtaining an encrypted random secret key. Then, the trustedclient (303) sends (313) the encrypted random secret key to the server(102, 302), who forwards (314) the encrypted random secret key to thefirst client (301).

When the first client (301) receives the encrypted random secret key, itdecrypts (315) by the first client (101, 301) the encrypted randomsecret key using its second private key obtaining the random secret key,“0x90AB”.

Finally, the first client (101, 301) decrypts (316) the encryptedsecret, 0xC6D3, with the random secret key, 0x90AB, by computing by thefirst client (101, 301) a bitwise XOR of the encrypted secret and therandom secret key, obtaining the secret data (1) 0x5678, as follows

secret data=XOR(encrypted secret,)=X0R(0xC6D3 0x90AB)=0x5678

Advantageously, the random secret key is encrypted with a second publickey which only is known by the first client and the trusted client.Additionally, as the first client (301) recovers from the blockchainsystem the public key of the trusted client (303), which is later usedto encrypt their communications, no man in the middle attacks arepossible. Note that this includes the reception by the trusted client(303) of the second public key of the first client (301), which is usedto encrypt the random secret key. Hence, the first client (301) knowsthat only the received data came from the trusted client (303).

What is claimed is:
 1. A computer-implemented method for passwordlessescrowing secret data in a server of a client-server network, theclient-server network comprising: a first client having at least onepublic and private client key pairs, at least one trusted client havingat least one public and private trusted client key pairs, wherein thepublic and private trusted client key pairs are a public key and aprivate key related to each trusted client, a server having a public andprivate server key pairs, a blockchain system comprising a plurality ofnodes which are configured to store the public keys of the first client,the at least one trusted client, and the server, wherein the methodcomprises the following steps: a) fetching, by the first client from theblockchain system, the public key of a trusted client, and checking, bythe first client, in the blockchain system, an identity of the trustedclient which stored the public key of the trusted client, b)cryptographically blinding, by the first client, a secret data with arandom value obtaining a first blinded secret, c) signing, by the firstclient, the first blinded secret, obtaining a digital signature of thefirst blinded secret, d) encrypting, by the first client, the firstblinded secret and the digital signature of the first blinded secretusing the public key of the trusted client obtaining a first publicencrypted secret, e) sending, by the first client to the server, thefirst public encrypted secret, f) forwarding, by the server to thetrusted client, the first public encrypted secret, g) when the trustedclient receives the first public encrypted secret from the server,fetching, by the trusted client from the blockchain system, the publickey of the first client ensuring the correctness and uniqueness of saidpublic key of the first client, and decrypting, by the trusted client,the first public encrypted secret using the private key of the trustedclient obtaining the first blinded secret, h) verifying, by the trustedclient, the digital signature of the first blinded secret using thepublic key of the first client.
 2. The computer-implemented methodaccording to claim 1, wherein if the digital signature is valid themethod further comprises: i) blindly encrypting, by the trusted client,the first blinded secret with a random secret key obtaining a secondblinded secret, j) signing, by the trusted client, the second blindedsecret, obtaining a digital signature of the second blinded secret, k)encrypting, by the trusted client, the second blinded secret and thedigital signature of the second blinded secret using the public key ofthe first client obtaining a second public encrypted secret, l) sending,by the trusted client to the server, the second public encrypted secret,m) forwarding, by the server to the first client, the second publicencrypted secret, n) when the first client receives the second publicencrypted secret from the server, decrypting, by the first client, thesecond public encrypted secret using the private key of the first clientobtaining the second blinded secret, o) verifying, by the first client,the digital signature of the second blinded secret using the public keyof the trusted client.
 3. The computer-implemented method according toclaim 2, wherein the blindly encrypting in step i) comprises:calculating by the trusted client the random secret key, and computingby trusted client a bitwise XOR of the random secret key and the firstblinded secret obtaining the second blinded secret.
 4. Thecomputer-implemented method according to claim 2, wherein if the digitalsignature is valid at o), the method further comprises: p)cryptographically unblinding, by the first client, the second blindedsecret with the random value, obtaining an encrypted secret, q) signing,by the first client, the encrypted secret using the private key of thefirst client obtaining a digital signature of the encrypted secret, r)sending, by the first client to the server, the encrypted secret and thedigital signature of the encrypted secret, s) when the server receivesthe encrypted secret and the digital signature of the encrypted secret,verifying the digital signature of the encrypted secret using the publickey of the first client, and if the digital signature of the encryptedsecret is valid, encrypting, by the server, the encrypted secret withthe public key of the server obtaining a double-encrypted secret andstoring the double-encrypted secret in the server.
 5. Thecomputer-implemented method according to claim 4, wherein thecryptographically unblinding in step p) comprises computing by the firstclient a bitwise XOR of the random value and the second blinded secretobtaining the encrypted secret.
 6. The computer-implemented methodaccording to claim 1, wherein the cryptographically blinding in step b)comprises, calculating by the first client the random value, computingby the first client a bitwise XOR of the random value and the secretdata obtaining the first blinded secret.
 7. The computer-implementedmethod according to claim 1, wherein the encrypting in step d) comprisesfurther encrypting by the first client, a biometric authenticating dataof the first client using the public key of the trusted client obtainingthe first public encrypted secret.
 8. A system comprising: a firstclient having at least one public and private client key pairs; at leastone trusted client having at least one public and private trusted clientkey pairs, wherein the public and private trusted client key pairs are apublic key and a private key related to each trusted client, a serverhaving a public and private server key pairs, a blockchain systemcomprising a plurality of nodes which are configured to store the publickeys of the first client, the at least one trusted client, and theserver; wherein a) the first client is configured to fetch from theblockchain system the public key of a trusted client, and check, in theblockchain system, an identity of the trusted client which stored thepublic key of the trusted client, b) the first client is configured tocryptographically blind a secret data with a random value obtaining afirst blinded secret, c) the first client is configured to sign thefirst blinded secret, obtaining a digital signature of the first blindedsecret, d) the first client is configured to encrypt the first blindedsecret and the digital signature of the first blinded secret using thepublic key of the trusted client obtaining a first public encryptedsecret, e) the first client is configured to send, to the server, thefirst public encrypted secret, f) the server is configured to forward,to the trusted client, the first public encrypted secret, g) the trustedclient is configured to, when the trusted client receives the firstpublic encrypted secret from the server, fetch from the blockchainsystem the public key of the first client ensuring the correctness anduniqueness of said public key, and decrypt the first public encryptedsecret using the private key of the trusted client obtaining the firstblinded secret, h) the trusted client is configured to verify thedigital signature of the first blinded secret using the public key ofthe first client.
 9. The system according to claim 8, wherein: i) thetrusted client is configured to blindly encrypt the first blinded secretwith a random secret key obtaining a second blinded secret, j) thetrusted client is configured to sign the second blinded secret,obtaining a digital signature of the second blinded secret, k) thetrusted client is configured to encrypt the second blinded secret andthe digital signature of the second blinded secret using the public keyof the first client obtaining a second public encrypted secret, l) thetrusted client is configured to send to the server, the second publicencrypted secret, m) the server is configured to forward the secondpublic encrypted secret, n) when the first client receives the secondpublic encrypted secret from the server, the first client is configuredto decrypt the second public encrypted secret using the private key ofthe first client obtaining the second blinded secret, o) the firstclient is configured to verify the digital signature of the secondblinded secret using the public key of the trusted client,
 10. Thesystem according to claim 9, wherein: p) the first client is configuredto cryptographically unblind the second blinded secret with the randomvalue, obtaining an encrypted secret, q) the first client is configuredto sign the encrypted secret using the private key of the first clientobtaining a digital signature of the encrypted secret, r) the firstclient is configured to send to the server, the encrypted secret and thedigital signature of the encrypted secret, s) when the server receivesthe encrypted secret and the digital signature of the encrypted secret,the server is configured to verify the digital signature of theencrypted secret using the public key of the first client, and if thedigital signature of the encrypted secret is valid, the server isconfigured to encrypt the encrypted secret with the public key of theserver obtaining a double-encrypted secret and storing thedouble-encrypted secret in the server.
 11. The system according to claim8, wherein the first client, the at least one trusted client, theserver, and the blockchain system are hardware.